From 99b8a3465e9339c02f52fd1f014099f152df133f Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:05:53 +0300 Subject: [PATCH 1/7] add parsing of the new single namespace var to cm and env var --- .../cap-app-proxy/_all_resources.yaml | 2 ++ .../_components/cap-app-proxy/_config.yaml | 1 + .../cap-app-proxy/argo-cd/_all.yaml | 3 ++ .../cap-app-proxy/argo-cd/_role.yaml | 28 +++++++++++++++++++ .../cap-app-proxy/argo-cd/_rolebinding.yaml | 20 +++++++++++++ .../_main-container.yaml | 7 +++++ .../_components/gitops-operator/_env.yaml | 1 + .../gitops-operator/crds/_all.yaml | 2 ++ .../gitops-operator/rbac/_all.yaml | 2 ++ .../templates/codefresh-cm.yaml | 1 + charts/gitops-runtime/values.yaml | 2 ++ 11 files changed, 69 insertions(+) create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml index 479914c47..ff455cf52 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_all_resources.yaml @@ -10,4 +10,6 @@ {{ include "cap-app-proxy.resources.service" . }} --- {{ include "cap-app-proxy.resources.sa" .}} +--- + {{ include "argo-cd.namespaced-rbac.all" . }} {{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 7751eb84e..7160728f6 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml 
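Review bot: The added `{{ include "argo-cd.namespaced-rbac.all" . }}` names a template that no file in this series defines. The new `argo-cd/_all.yaml` holds bare `include` calls at file level, and PATCH 4/7 and 7/7 add an `if` and a third include but still no `define`. Helm takes only `define` blocks from underscore-prefixed partials, so I would expect this include to fail at render time with a missing-template error instead of emitting the RBAC objects. Wrap the body of `_all.yaml` in `{{- define "argo-cd.namespaced-rbac.all" }}` … `{{- end }}`, with the `singleNamespace` guard inside the define so it is evaluated against the context this include passes.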
@@ -11,6 +11,7 @@ env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} +runtimeSingleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml new file mode 100644 index 000000000..1cc7a7024 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -0,0 +1,3 @@ +{{- include "argo-cd.namespaced-rbac.role" . }} +--- +{{- include "argo-cd.namespaced-rbac.rolebinding" . }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml new file mode 100644 index 000000000..7a7a97ef2 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml 
@@ -0,0 +1,28 @@ +{{- if .Values.app-proxy.singleNamespace }} +{{- define "argo-cd.namespaced-rbac.role" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argocd-namespaced-role + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +rules: +- apiGroups: [""] + resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets", "serviceaccounts"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["apps"] + resources: ["deployments", "replicasets", "statefulsets", "daemonsets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["batch"] + resources: ["jobs", "cronjobs"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "networkpolicies"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles", "rolebindings"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml new file mode 100644 index 000000000..32a593f91 --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml 
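Review bot: The first and last rules grant `create`, `update`, `patch` and `delete` on `secrets` and on `roles`/`rolebindings`, so whatever subject is bound to this Role is in effect an administrator of the release namespace. Judging by the `RUNTIME_TOKEN` `secretKeyRef` visible elsewhere in this patch, that reach probably includes the runtime's own credentials. Kubernetes' escalation checks stop the holder from granting more than it already has, but what it has is already broad. Unless the runtime must manage RBAC for the applications it deploys, reduce the last rule to `verbs: ["get", "list", "watch"]`. Add a comment above `rules:` stating why each API group is needed, so later additions are reviewed against a stated purpose.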
@@ -0,0 +1,20 @@ +{{- if .Values.app-proxy.singleNamespace }} +{{- define "argo-cd.namespaced-rbac.rolebinding" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argocd-namespaced-rolebinding + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-namespaced-role +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml index f59f769ef..b00b6afb9 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml @@ -109,6 +109,12 @@ RUNTIME_NAME: configMapKeyRef: name: cap-app-proxy-cm key: runtimeName +RUNTIME_SINGLE_NAMESPACE: + valueFrom: + configMapKeyRef: + name: cap-app-proxy-cm + key: runtimeSingleNamespace + optional: true RUNTIME_TOKEN: valueFrom: secretKeyRef: @@ -210,6 +216,7 @@ IRW_JIRA_ENRICHMENT_TASK_IMAGE: name: cap-app-proxy-cm key: enrichmentJiraEnrichmentImage optional: true + NODE_EXTRA_CA_CERTS: /app/config/all/all.cer {{- if gt (int .Values.replicaCount) 1 }} LEADER_ID: diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index f2e10f745..113062c01 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml 
@@ -15,6 +15,7 @@ COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} +RUNTIME_SINGLE_NAMESPACE: {{ .Values.app-proxy.singleNamespace }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml index 956c1b6fc..22474c18a 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml @@ -14,7 +14,9 @@ --- {{- include "gitops-operator.crds.product" $context }} --- + {{- if not .Values.app-proxy.singleNamespace }} {{- include "gitops-operator.crds.restricted-gitsource" $context }} + {{- end }} --- {{- include "gitops-operator.crds.promotion-policy" $context }} {{- end }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml index 8760f4220..f0054a81b 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml @@ -13,7 +13,9 @@ --- {{- include "gitops-operator.resources.leader-election-rbac" $context }} --- + {{- if not .Values.app-proxy.singleNamespace }} {{- include "gitops-operator.resources.restricted-git-source-rbac" $context }} + {{- end }} --- {{- include "gitops-operator.resources.rbac-operator" $context }} {{- end }} diff --git a/charts/gitops-runtime/templates/codefresh-cm.yaml b/charts/gitops-runtime/templates/codefresh-cm.yaml index d070c4d67..17ecd2771 100644 
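Review bot: `RUNTIME_SINGLE_NAMESPACE` is rendered without `| quote`, unlike `PROMOTION_WRAPPER_TEMPLATE` on the line above it and unlike the `runtimeSingleNamespace` ConfigMap entry added in this same patch. With the default `false` the rendered value is a YAML boolean, and a container env `value` has to be a string. How this map is turned into env entries is not visible here, so a helper may already stringify it. PATCH 2/7 rewrites the accessor but keeps it unquoted; the line should read `RUNTIME_SINGLE_NAMESPACE: {{ (get .Values "app-proxy").singleNamespace | quote }}`. The enclosing `define` starts outside this hunk.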
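Review bot: Gating `gitops-operator.crds.restricted-gitsource` on a values flag means an upgrade that switches `singleNamespace` to true stops rendering that CRD. If these CRDs are installed as ordinary templated resources, Helm would then delete it, and deleting a CRD removes every existing object of that kind. The same guard in `rbac/_all.yaml` removes the matching RBAC, so the two hunks need to stay in step. Consider annotating the CRD with `helm.sh/resource-policy: keep`, or state in the `singleNamespace` comment in `values.yaml` that enabling it on an existing runtime drops restricted git sources. When the guard is false the two surrounding `---` separators also end up adjacent, which is harmless but worth moving inside the `if`.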
--- a/charts/gitops-runtime/templates/codefresh-cm.yaml +++ b/charts/gitops-runtime/templates/codefresh-cm.yaml @@ -15,4 +15,5 @@ data: ingressController: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressHost: {{ include "codefresh-gitops-runtime.ingress-url" . }} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} + singleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} version: {{ .Chart.AppVersion }} \ No newline at end of file diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 9035df0a1..8acfd3992 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -519,6 +519,8 @@ tunnel-client: #----------------------------------------------------------------------------------------------------------------------- app-proxy: replicaCount: 1 + # -- Runtime single namespace mode. When true, runtime operates in single namespace scope. + singleNamespace: false # -- Image enrichment process configuration image-enrichment: # -- Enable or disable enrichment process. Please note that for enrichemnt, argo-workflows has to be enabled as well. From effb5b665bb18197c3e15fc0bdda702710a4fb24 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:25:28 +0300 Subject: [PATCH 2/7] fixed parsing --- .../templates/_components/cap-app-proxy/_config.yaml | 2 +- .../templates/_components/cap-app-proxy/argo-cd/_role.yaml | 2 +- .../_components/cap-app-proxy/argo-cd/_rolebinding.yaml | 2 +- .../templates/_components/gitops-operator/_env.yaml | 2 +- .../templates/_components/gitops-operator/rbac/_all.yaml | 2 +- charts/gitops-runtime/templates/codefresh-cm.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 7160728f6..5937d907a 100644 
--- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml @@ -11,7 +11,7 @@ env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} -runtimeSingleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} +runtimeSingleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml index 7a7a97ef2..4249910a9 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml @@ -1,4 +1,4 @@ -{{- if .Values.app-proxy.singleNamespace }} +{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.role" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml index 32a593f91..9e505deaf 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml 
@@ -1,4 +1,4 @@ -{{- if .Values.app-proxy.singleNamespace }} +{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.rolebinding" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index 113062c01..1321e06c5 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml @@ -15,7 +15,7 @@ COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} -RUNTIME_SINGLE_NAMESPACE: {{ .Values.app-proxy.singleNamespace }} +RUNTIME_SINGLE_NAMESPACE: {{ (get .Values "app-proxy").singleNamespace }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml index f0054a81b..db0a7c7ae 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/rbac/_all.yaml @@ -13,7 +13,7 @@ --- {{- include "gitops-operator.resources.leader-election-rbac" $context }} --- - {{- if not .Values.app-proxy.singleNamespace }} + {{- if not (get .Values "app-proxy").singleNamespace }} {{- include "gitops-operator.resources.restricted-git-source-rbac" $context }} {{- end }} --- diff --git a/charts/gitops-runtime/templates/codefresh-cm.yaml b/charts/gitops-runtime/templates/codefresh-cm.yaml index 17ecd2771..3fba68b95 100644 --- a/charts/gitops-runtime/templates/codefresh-cm.yaml 
+++ b/charts/gitops-runtime/templates/codefresh-cm.yaml @@ -15,5 +15,5 @@ data: ingressController: {{ .Values.global.runtime.ingress.className | default "" | quote }} ingressHost: {{ include "codefresh-gitops-runtime.ingress-url" . }} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} - singleNamespace: {{ .Values.app-proxy.singleNamespace | quote }} + singleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }} version: {{ .Chart.AppVersion }} \ No newline at end of file From df2f07e9d4500667d944784c7705cd117a6ccaf7 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:29:50 +0300 Subject: [PATCH 3/7] minor parsing fix --- .../templates/_components/gitops-operator/crds/_all.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml index 22474c18a..d7d598f9b 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/_all.yaml @@ -14,7 +14,7 @@ --- {{- include "gitops-operator.crds.product" $context }} --- - {{- if not .Values.app-proxy.singleNamespace }} + {{- if not (get .Values "app-proxy").singleNamespace }} {{- include "gitops-operator.crds.restricted-gitsource" $context }} {{- end }} --- From 77089927a16903957743b805e8e5b7dea014f0f7 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:37:36 +0300 Subject: [PATCH 4/7] fixed conditional including of role and role binding --- .../templates/_components/cap-app-proxy/argo-cd/_all.yaml | 4 +++- .../templates/_components/cap-app-proxy/argo-cd/_role.yaml | 2 -- .../_components/cap-app-proxy/argo-cd/_rolebinding.yaml | 2 -- 3 files changed, 3 insertions(+), 5 deletions(-) 
diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml index 1cc7a7024..1506617b6 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -1,3 +1,5 @@ +{{- if (get .Values "app-proxy").singleNamespace }} {{- include "argo-cd.namespaced-rbac.role" . }} --- -{{- include "argo-cd.namespaced-rbac.rolebinding" . }} \ No newline at end of file +{{- include "argo-cd.namespaced-rbac.rolebinding" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml index 4249910a9..9d1389646 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_role.yaml @@ -1,4 +1,3 @@ -{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.role" }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -24,5 +23,4 @@ rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -{{- end }} {{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml index 9e505deaf..7d320d7ac 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml 
@@ -1,4 +1,3 @@ -{{- if (get .Values "app-proxy").singleNamespace }} {{- define "argo-cd.namespaced-rbac.rolebinding" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -16,5 +15,4 @@ subjects: - kind: ServiceAccount name: default namespace: {{ .Release.Namespace }} -{{- end }} {{- end }} \ No newline at end of file From 3fa40524246e4366fd5003981d7be20626b0d7b4 Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:42:05 +0300 Subject: [PATCH 5/7] added app-proxy context --- charts/gitops-runtime/templates/gitops-operator/deployment.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml index 81b566099..6038cbbca 100644 --- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml @@ -5,6 +5,7 @@ {{- $_ := set $context "Values" $vals }} {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} +{{- $_ := set $context.Values "app-proxy" (deepCopy (get .Values "app-proxy")) }} {{- if and (not (index .Values "argo-cd" "enabled")) }} {{- if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "token") }} From 370115e65cd181f6389fb1561f8140d2c9fda34f Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 07:50:52 +0300 Subject: [PATCH 6/7] fixed something --- .../templates/_components/cap-app-proxy/_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 5937d907a..e615c50d1 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml 
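Review bot: Only this deployment template copies `app-proxy` into the operator's `$context.Values`. The `gitops-operator` partials `_env.yaml`, `crds/_all.yaml` and `rbac/_all.yaml` all read `(get .Values "app-proxy").singleNamespace`, and the latter two are included with `$context` from templates this series does not touch. If those templates build their context the same way, they lack the key, the lookup cannot see the flag, and rendering either fails or treats the flag as unset. Add the same `{{- $_ := set $context.Values "app-proxy" (deepCopy (get .Values "app-proxy")) }}` wherever the operator context is assembled, or move the context construction into one shared helper. The context block begins and continues outside this hunk.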
@@ -11,7 +11,7 @@ env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} -runtimeSingleNamespace: {{ (get .Values "app-proxy").singleNamespace | quote }} +runtimeSingleNamespace: {{ .Values.singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} From f31c2230b24fb215bce7e37972b697eb02fcff1b Mon Sep 17 00:00:00 2001 From: Philip Kotliyakov Date: Mon, 25 Aug 2025 09:12:37 +0300 Subject: [PATCH 7/7] added argocd-manager service account --- .../_components/cap-app-proxy/argo-cd/_all.yaml | 2 ++ .../cap-app-proxy/argo-cd/_rolebinding.yaml | 2 +- .../cap-app-proxy/argo-cd/_serviceaccount.yaml | 10 ++++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml index 1506617b6..d731eadeb 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_all.yaml @@ -1,4 +1,6 @@ {{- if (get .Values "app-proxy").singleNamespace }} +{{- include "argo-cd.namespaced-rbac.serviceaccount" . }} +--- {{- include "argo-cd.namespaced-rbac.role" . }} --- {{- include "argo-cd.namespaced-rbac.rolebinding" . }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml index 7d320d7ac..28c529499 100644 
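Review bot: Changing this line to `.Values.singleNamespace` implies that `.Values` in the cap-app-proxy partials is already the `app-proxy` subtree, which conflicts with the guard in `cap-app-proxy/argo-cd/_all.yaml`. That file is included from `_all_resources.yaml` with the same `.`, yet it still tests `(get .Values "app-proxy").singleNamespace`, including after PATCH 7/7. Under the scoped context that lookup finds no `app-proxy` key, so the namespaced Role, RoleBinding and ServiceAccount would not be gated by the flag as intended. Assuming the scoping is as this hunk suggests, the guard should become `{{- if .Values.singleNamespace }}`. A `helm template` run with the flag both on and off would confirm which accessor is correct.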
--- a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_rolebinding.yaml @@ -13,6 +13,6 @@ roleRef: name: argocd-namespaced-role subjects: - kind: ServiceAccount - name: default + name: argocd-manager namespace: {{ .Release.Namespace }} {{- end }} \ No newline at end of file diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml new file mode 100644 index 000000000..1f94e491e --- /dev/null +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/argo-cd/_serviceaccount.yaml @@ -0,0 +1,10 @@ +{{- define "argo-cd.namespaced-rbac.serviceaccount" }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-manager + namespace: {{ .Release.Namespace }} + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + codefresh.io/component: argocd-namespaced-rbac +{{- end }}
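Review bot: The new ServiceAccount's `name: argocd-manager` is a fixed literal, as are `argocd-namespaced-role` and `argocd-namespaced-rolebinding`. An account of that name already present in the namespace, or a second release installed there, would collide with Helm's ownership check. Nothing in this series sets `serviceAccountName: argocd-manager` on a workload, so it is unclear who is meant to hold the broad Role bound to this account. If it is only used through an externally issued token, add `automountServiceAccountToken: false` to the ServiceAccount. Either way, add a comment above `metadata:` naming the component that authenticates as this account.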